
Building cyber-resilient supply chains

In 2022-23, the manufacturing, retail trade, and professional, scientific and technical services sectors together accounted for over 40% of ransomware-related cyber security incidents in Australia.[1]

Unlike the majority of supply chain disruptions, cyber-based threats like ransomware can cause sudden and systemic impacts to organisations or the wider ecosystem. They can be prolonged – beyond what is contemplated in most business continuity plans. These characteristics set them apart from traditional disruptions such as labour and raw material shortages, or power outages.

Once a cyber event occurs, organisations can be left paralysed without the ability to resume core operations. In some significant events we’ve encountered, core systems have been offline for more than a month. This outcome is engineered by design, increasing the attacker’s leverage to force a ransom payment.

In this tightly woven global system of producers, distributors and consumers, supply chain leaders face the challenge of ensuring their supply chain operations are resilient against such attacks. Digital technologies are already helping our supply chains become more transparent, efficient and agile, and will be core to future initiatives to improve industrial productivity. Yet as we grow our digital capabilities across ERP solutions, advanced planning, customer and supplier integration and shopfloor automation using cloud services and SaaS platforms, we also increase our systemic reliance on specific platforms, vendors or service providers. Moreover, it is not just the hosted services, but also the underlying infrastructure, integration and desktop solutions, that may contribute to an organisation’s overall cyber risk posture.

Whilst we have outsourced some of these services, we cannot absolve ourselves from the risk management of them, given their potential to cause a supply chain to stop. Therefore, the question for boards and executives is to ask whether the risk is truly understood and being managed holistically.

This blog explores the cyber risks for physical supply chains, common mistakes in mitigation approaches and where to begin on developing your resilience.

Case Study 1: The 2017 ‘NotPetya’ incident saw global supply networks halted by a cyberattack on a shipping/logistics giant, causing more than $10 billion in losses across a global network of logistics, FMCG, suppliers and customers.[2]

Understanding the risks to our supply chains:
To understand the key risks to our operations we need to understand:

  • The third party landscape
  • Our dependencies on cyber-physical infrastructure (IT and OT convergence)
  • The focusing questions that we should ask

Third Party Risk and its impact on operations:

Our dependence on third-party software vendors, suppliers and service providers can introduce additional points of failure (or attack paths) in the network. This typically comes in a couple of forms:

  1. Service provider trusted connections.

    Service providers and OEM vendors often have trusted and privileged access to core systems. This often provides for remote support (e.g. from overseas) and these interfaces are a key target for attackers.

  2. Upstream or downstream dependencies.

    A cyber incident in a supplier or service provider causes the primary organisation to be unable to function effectively. For example, if a major logistics provider is paralysed by ransomware, this can cause cascading impact on the ability to ship product to customers.

  3. Software or hardware compromise.

    An attacker manages to compromise an OEM vendor’s product in a way that can be used to launch an attack.

Each of these three risk scenarios illustrates the need for a robust understanding of critical third parties and, where appropriate, additional assessment, assurance or secondary mitigation (e.g. an alternative supplier) to reduce this risk to within appetite.

Figure 1. Complexity of Third Party Relationships[3]

Another area of emerging concern is the systemic and fast-moving nature of cyber-attacks, demonstrated when multiple organisations are impacted by the same attack group or the same software vulnerability. This partly explains why some insurers are seeking to limit their exposure to cyber-related risks, and it should feed into leadership thinking about whether an organisation has genuine resilience.

The convergence of IT and OT and what it means for cybersecurity:

In some sectors there is progressive convergence of IT and OT/ICS (operational technology/industrial control systems), and consumer-style IoT (Internet of things) sensors. This trend is sometimes diluting the hard separation between these domains and introducing new entry points for infiltrating the supply chain network and the ability to control critical physical assets. Ultimately more complexity makes this a harder risk to model.

However, as more software applications continue to be integrated into our most critical operational assets and physical systems, the potential ramifications exceed data and information breaches and extend to the misuse of physical assets, leading to damage to property or harm to lives. Moreover, the security of IT applications differs from the security needed for OT systems, where making changes (e.g. applying security patches) can cause unintended consequences.[4]

Figure 2: Organisations experience the impacts and consequences of catastrophic cyber incidents in multiple areas[5]

The questions we need to be asking:

Given the complex nature of supply chains and the high reliance on technology and automation, it’s usually not economically viable for an organisation to take a stance of zero risk tolerance, or to try to understand every rabbit-hole.

In our experience of assisting organisations, it’s critical to form a pragmatic and balanced view of the risk. Some key questions to ask in this process are:

  • At a macro level, do we understand the criticality of our sites, business processes and key suppliers?
  • Do we understand the progressive impact of a sustained technology outage (e.g. at 48 hours, 1 week, 1 month) in OT or IT?
  • Have we done a comprehensive cyber-risk assessment, which considers secondary mitigations (e.g. carrying inventory, alternative suppliers) to provide a balanced view of the risk?
  • Do we understand the posture of our industrial control systems against the SANS ICS 5 Critical Controls?
  • Do we understand the blind spots in our knowledge, such as the posture of key suppliers or the cyber controls on key systems? These are areas where further discovery might be required to inform the risk.
  • Do we test the effectiveness of our controls to identify areas of false comfort?

Where do we go wrong and what is often overlooked:

We need to ensure that the right assessments are conducted and thoroughly address the critical risks our supply chain may be exposed to.

It is not uncommon for us to underestimate the risk of an attack on our supply chain assets, whether because we believe we are protected by the multitude of third-party vendors, or because we believe our security practices are robust. However, if companies wait until after an attack to prepare their response strategies, the cost to the business can be significant, including loss of software and hardware, lost revenue from disrupted operations, loss of customer trust and reputation, and regulatory fines.

Without the appropriate risk assessment and management procedures, organisations may be left without an ability to resume operations, rippling their issues to trading partners and consumers.

Case Study 2: Deloitte has worked with a large consumer goods producer to plan for its compromised state: understanding what it would take to operate in the absence of core functions and master data, what the critical enablers in the manufacturing process are, and what service compromises could be made to execute operations efficiently and effectively.

Overestimating the cost of a good mitigation strategy

Organisations may initially be deterred from embarking on a comprehensive cybersecurity program, including mitigation strategies, because of the investment required. However, efficient programs consider both the necessary strategies/controls, in line with the relevant investment parameters, and the likelihood of an attack, weighing the critical points of an organisation’s cyber posture against what can be put in place for the impacted system.

Thinking of security as something we can buy

Business leaders tend to think of security as something we can buy with additional tools and features, rather than as a process. The development of response strategies requires active participation in comprehensive cyber risk assessments to identify critical risks across the technology stack, collaboration with supply chain partners to develop response plans, training of key stakeholders, and continuous monitoring of the organisation’s technological landscape.

Security is therefore something we practice, not something we reach as a destination.

How to build a cyber resilient supply chain:
With the right insight into our risk profile, a comprehensive cyber resilience program can be built to ensure that organisations implement proactive measures and bolster their defences.

Our ability to withstand cyber incidents relies on building a response playbook that identifies the network’s critical paths, curates a compromised mode of operation, and efficiently communicates these plans across our network:

  1. Consider your critical assets and pathways

    To identify our assets and critical pathways which form the foundation of our cyber posture, rigorous cybersecurity risk assessments must be conducted, which also consider the impact of Third-Party Management and pathways.

    Different methodologies/guides can be adopted to better implement cybersecurity controls within our organisations. The SANS ICS critical controls provide guidance for organisations to align their cybersecurity posture with the critical industrial controls, creating an efficient cybersecurity program for IT or OT.[6]

    We can also utilise an asset-led approach to analyse our supply chains, helping to highlight critical enablers within a business. By aligning resources with these critical points, businesses can efficiently prepare for a cyber event.

    Case Study 3:
    Recently, Deloitte New Zealand has seen the success of taking this asset-led approach working with a state-owned energy provider. There was an opportunity to enhance the resilience of the state’s critical infrastructure and uplift supply chain management practices.[7]

    In addition to the above, Australian entities that are looking to secure their supply chain must also consider the regulations of the Critical Infrastructure Risk Management Program (CIRMP) framework. This provides a guideline for supply chains to drive resilience through identifying, assessing and mitigating risks that could potentially disrupt or impact critical infrastructure.[8]

  2. Develop a Compromised Mode of operation (Plan B):

    A Compromised Mode of operation needs to answer the key questions:

    - What are the critical enablers of data flow?
    - What processes are required to ensure system function?
    - How can we simplify our operations when compromised?

    As supply chain and operations leaders, we should understand the effective responses for a cyber incident that are within our comfortable investment range. For instance, the baseline capability may be the creation of spreadsheets to mimic processes. On the other end of the spectrum, best practice may include backup solutions for Cloud-Based data storage – although a restored backup can often be just as susceptible to the original attack. A more creative solution could include the use of offline legacy systems as a fallback position.

    Plan ahead for the kind of service compromises you might make – which products will you stop producing? Which customers will you prioritise? What alternative sources of supply will you enact?

    The controls in place must be rigorously tested to ensure the compatibility of the strategies with the organisation, and the potential timeframe of an extended outage. Our network may be prepared and able to manage a 1-week outage, however, how do our plan B mitigation strategies manage for 6 weeks under the same stressors?

  3. Communicate and engage with your network

    What must our network know to successfully implement our ‘Plan B’ mode of operation? Discussions with our network may cover what the communication process looks like when our operations are compromised, how suppliers are expected to participate in the contingency planning, and how long it will take until complete capabilities are regenerated.

    The answers to these questions can then be built into contracts with customers and suppliers through Business Continuity Planning (BCP) and Service Level Agreements, for example the supplier/partner requirements for the turnaround of orders and despatch. This allows both ourselves and our supply chain partners to be adequately prepared during our recovery.
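The asset-led approach in step 1 and the outage-duration test in step 2 (a plan that survives one week may not survive six) come down to the same question: which suppliers, services and systems sit on a critical pathway, and how long do our secondary mitigations (inventory, manual workarounds, an alternative supplier, an offline legacy system) buy us before a core process stops? The following is an added example, not code from the post or from Deloitte, that models this as a dependency graph and reports which critical processes are down at the 48-hour, 1-week, 1-month and 6-week horizons for a given outage. Every node name, buffer figure and scenario in it is constructed for illustration; the generalisation beyond the text is that an alternative source is treated as covering the primary, so a process only fails once both are down.

```python
"""Added example, not code from the Deloitte post or its authors.

A small dependency model for reasoning about critical pathways: given that
some third party or system fails at day 0, on which day does each downstream
process stop, once inventory buffers, manual fallbacks and alternative
suppliers are exhausted? All assets, suppliers and buffer figures here are
constructed for illustration; the node names are hypothetical.
"""
from dataclasses import dataclass
from typing import Optional

INF = float("inf")


@dataclass(frozen=True)
class Dependency:
    upstream: str                      # system, supplier or service we rely on
    buffer_days: float = 0.0           # how long we keep operating without it
    alternative: Optional[str] = None  # secondary source; we only fail once it is down too


# node -> the dependencies it needs to keep functioning (constructed scenario)
SUPPLY_CHAIN: dict[str, list[Dependency]] = {
    "erp_saas":            [Dependency("cloud_provider")],
    "order_management":    [Dependency("erp_saas", buffer_days=2)],   # spreadsheet fallback lasts ~2 days
    "production_planning": [Dependency("erp_saas", buffer_days=1, alternative="legacy_planner_offline")],
    "mes":                 [Dependency("erp_saas", buffer_days=7)],   # runs on cached master data for a week
    "packaging_line":      [Dependency("mes"),
                            Dependency("packaging_supplier", buffer_days=14, alternative="packaging_supplier_b")],
    "outbound_shipping":   [Dependency("logistics_provider", buffer_days=3)],  # stock already staged at the dock
    "customer_delivery":   [Dependency("order_management"), Dependency("packaging_line"),
                            Dependency("outbound_shipping")],
}

# the processes whose loss means "we cannot ship product"
CRITICAL = {"order_management", "production_planning", "packaging_line", "outbound_shipping", "customer_delivery"}

# the horizons the post asks leaders to think in
HORIZONS_DAYS = {"48h": 2, "1 week": 7, "1 month": 30, "6 weeks": 42}


def all_nodes(graph):
    """Every node mentioned anywhere in the graph, including pure upstream suppliers."""
    nodes = set(graph)
    for deps in graph.values():
        for d in deps:
            nodes.add(d.upstream)
            if d.alternative:
                nodes.add(d.alternative)
    return nodes


def earliest_failure(graph, outages):
    """Day on which each node stops functioning, given the nodes in `outages` fail at day 0.

    Fixed-point relaxation: a node fails `buffer_days` after the later of its primary
    and alternative sources has failed, taking the earliest such time over all its
    dependencies. Times only ever decrease, so the loop terminates.
    """
    t = {n: INF for n in all_nodes(graph)}
    for n in outages:
        t[n] = 0.0
    changed = True
    while changed:
        changed = False
        for node, deps in graph.items():
            for d in deps:
                source_down = t[d.upstream]
                if d.alternative is not None:
                    source_down = max(source_down, t[d.alternative])  # both must be lost
                candidate = source_down + d.buffer_days
                if candidate < t[node]:
                    t[node] = candidate
                    changed = True
    return t


def critical_impact(graph, outages, horizons=HORIZONS_DAYS, critical=CRITICAL):
    """For each horizon label, the sorted list of critical processes that are down by then."""
    t = earliest_failure(graph, outages)
    return {label: sorted(n for n in critical if t[n] <= days) for label, days in horizons.items()}


if __name__ == "__main__":
    scenarios = (["erp_saas"], ["logistics_provider"], ["packaging_supplier"],
                 ["erp_saas", "legacy_planner_offline"])   # last one: the fallback is hit too
    for outage in scenarios:
        print(f"Outage of {outage}:")
        for label, down in critical_impact(SUPPLY_CHAIN, outage).items():
            print(f"  at {label:8}: {down or 'no critical process down'}")
```

Two things the output shows that the prose alone does not: an alternative supplier removes a supplier from the critical pathway entirely (an outage of `packaging_supplier` alone never stops the line), whereas a mere buffer only shifts the failure to a later horizon, which is exactly the 1-week-versus-6-weeks distinction in step 2; and the final scenario, where the offline fallback is compromised together with the primary, is the case the post warns about when it notes that a restored backup can be just as susceptible as the original.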

Conclusion
The development of a Compromised Mode is key to an agile and resilient network. We encourage you to ask: By creating comprehensive regeneration strategies, how much more resilient could my supply chain be?

Deloitte’s Supply Chain & Procurement and Cyber professionals provide comprehensive support in developing cyber-resilience programmes for government and private enterprise by utilising best practice frameworks, applied expertise and cyber assets. To begin your resilience journey, please contact us.  

About the authors:

Chris Coldrick is a partner within Deloitte’s Supply Chain & Procurement practice. The practice focuses on supply chain strategy, synchronised planning & fulfilment, supply & digital procurement, manufacturing & smart operations, and embedding sustainable practices.

David Owen is a partner in Deloitte’s Cyber and Privacy practice, which focuses on addressing complex cyber risk management challenges for enhanced client performance and resilience.

References

1. ‘ASD Cyber Threat Report 2022-2023’, Australian Government, November 2023 (ASD Cyber Threat Report 2022-2023 | Cyber.gov.au).
2. ‘The Untold Story of NotPetya, the Most Devastating Cyberattack in History’, Wired, August 2018 (The Untold Story of NotPetya, the Most Devastating Cyberattack in History | WIRED).
3. ‘Third Party Governance & Risk Management, Turning Risk into Opportunity’, Deloitte, 2015.
4. ‘Is Moving Operational Technology to the Cloud a Good Idea?’, Security Roundtable (Is Moving Operational Technology to the Cloud a Good Idea? (securityroundtable.org)).
5. ‘Digital Resilience and Enterprise Recovery: Would your business survive a catastrophic cyber attack?’, Deloitte, 2023 (deloitte-uk-digital-resilience-and-enterprise-recovery-whitepaper.pdf).
6. ‘The Five ICS Cybersecurity Critical Controls’, SANS, November 2022 (The Five ICS Cybersecurity Critical Controls (sans.org)).
7. ‘Infrastructure with Impact: Enhancing Critical Infrastructure Resilience in New Zealand’, pp. 60-61, Deloitte (Deloitte’s Global Infrastructure Magazine | Edition #2).
8. ‘Guidance for the Critical Infrastructure Risk Management Program’, Cyber and Infrastructure Security Centre, Australian Government, February 2023 (Guidance for the Critical Infrastructure Risk Management Program (cisc.gov.au)).